Facebook Moves to Kill App Passwords

Facebook is making it easier for developers to build post-password apps.

The social network introduced Account Kit this week at its F8 developer conference. Using the Account Kit SDK, app developers and site owners can let users log in without passwords—instead, they can use their phone number or email address—or Facebook login (an existing feature). It does not require people to have a Facebook account.

Chris Webber, security strategist for Centrify, said that the move will help users learn how to use mobile authenticators.

“With more and more consumer companies leveraging mobile devices for SMS-based authentication, users are going to grow familiar with this new authentication paradigm more quickly—which is great for both consumer and business-related security,” he said via email. “I’m sure that we’ll see cranky naysayers commenting across the internet. They’ll try to sound smart and assert that mobile devices can be lost or stolen, or that people can be out of coverage range and not receive an SMS notification, and so mobile authenticators have drawbacks. These people are missing the point entirely, and don’t understand that passwords alone provide next to no protection in today’s world. Mobile authentication raises the bar for security, and makes it much harder for attackers.”

There are some fail-safes built in as well. If a person chooses to sign into an app using their phone number but does not receive the SMS, and they do have a Facebook account, they can instead opt to receive a Facebook notification to complete the login process.

Moving beyond passwords is a growing drumbeat. According to a survey from SecureAuth, attitudes towards passwords have changed drastically of late amid the growing rate of cyber-attacks. A whopping 91% of cybersecurity professionals agree that the traditional password will not exist in 10 years, and 97% of respondents believe that new authentication techniques, such as fingerprint scans or two-factor authentication, are reliable.

Evidence of this is seen in the strides that the FIDO Alliance has made. The alliance, which aims to eliminate passwords in favor of strong authentication, has seen rapid growth over the last three months, with more than 150 FIDO Certified biometric and two-factor authentication products now in the hopper.

The growth marks a 50% increase in the last quarter—in January, it announced that it had passed 100 post-password certified solutions. The growth is mainly coming from Asia-Pacific.

“Billions of passwords have been stolen in the last two years,” said Webber. “Even decent passwords can be ‘brute forced,’ cracked by powerful computers in seconds. Leveraging a mobile phone, which most of us have with us at all times, as an authentication factor means that attackers can’t simply steal or crack a password and then get access to our sensitive data.”